CFO-Less Ubiquiti Tricked Into Wiring Hackers Large Sums

Ubiquiti Networks in June discovered it was the victim of a roughly $47 million "business email fraud," where cybercriminals tricked employees into wiring money out of its Hong Kong-incorporated subsidiary. The FBI said companies around the globe lost more than $1 billion from October 2013 through June 2015 as a result of such schemes.

Associated Press

Ubiquiti Networks has been without a permanent finance chief since late April. In early June, it discovered that an unknown party stole $46.7 million from Ubiquiti’s Hong Kong-incorporated subsidiary.

It appears to be just the latest example of cybercriminals exploiting publicly available information and weaknesses in corporate email systems to trick businesses into transferring large sums of money into fraudulent bank accounts, in schemes known as “corporate account takeover” or “business email fraud.”

The FBI recommends businesses adopt two-factor email authentication and establish other communications channels such as telephone calls to verify large transactions before they are approved.

Former CFO Craig Foster resigned on April 21, and Ubiquiti said at the time that Mr. Chakravarthy would handle its principal accounting and financial officer duties. It said Hartley Nisenbaum, its executive vice president of operations and legal affairs, would assume the interim CFO role until a permanent replacement was found.

A representative for Ubiquiti, a network communications company based in San Jose, Calif., didn’t immediately respond to a request for comment. A spokesperson for digital-marketing-technology company Amobee, Mr. Foster’s current employer, couldn’t immediately be reached.

“It’s an embarrassing situation,” Robert Pera, Ubiquiti founder and chief executive, said on a late-Thursday conference call with analysts. “It seems to be an isolated incident that basically a couple individuals within the accounting group displayed incredibly poor judgment and incompetence.”

“After an incident like this, you’ve got to really question the overall culture and accountability,” Mr. Pera said when asked why the company chose to outsource its accounting and financial duties to FTI and Mr. Spragg. He said it continues to look for a permanent CFO and the theft won’t interfere with its liquidity or its ability to close the current quarter’s books in a timely fashion.

When the company discovered the theft on June 5, it notified authorities and has already recovered $8.1 million of the money that was fraudulently transferred. Another $6.8 million is subject to legal injunction and “reasonably expected to be recovered by the company in due course.” Ubiquiti is continuing to pursue the remaining $31.8 million but cannot predict the outcome, or whether it will be able to collect insurance on unrecovered funds.

It said it believes the matter was an isolated incident and that neither its technology systems nor data were compromised, and noted that its audit committee conducted an investigation that wrapped up in mid-July.

While it didn’t find evidence any evidence that its systems were penetrated or that any of its employees were involved, Ubiquiti said its internal controls were ineffective and it is taking steps to address the material weaknesses.

CORRECTION: Ubiquiti Networks was tricked into wiring hackers money. The article has been updated to correct two instances where the name was misspelled.